- last edited on by
reaper
1. Create a Custom URL Category with * under ‘sites’ (Objects >> Custom Objects >> URL Category >> Add)
2. Create a URL Filtering Profile & set your Custom Category action to “alert” (Objects >> Security Profiles >> URL Filtering >> Add)
Tick the box to log XFF on the ‘URL Filtering Settings’ tab…
3. Create a syslog server profile & modify the custom log format settings for URL (Device >> Server Profiles >> Syslog >> Add)
4. Create a Log Forwarding Profile & point it at your syslog server (Objects >> Log Forwarding >> Add)
Make sure your Log Type is ‘url’…
5. Apply both the URL Filtering & Log Forwarding Profiles to your Security Policy rules (Policies >> Security)
6. Commit your configuration, and observe this expected warning message
7. To test, you can use a free extension to Firefox called “Modify Header Value (HTTP Headers) by Milen Monrov. Type ‘about:addons’, click on ‘More’ & scroll down. You will have an opportunity to setup a header insertion rule like I have…
If I scroll to the right, you can see I am inserting a value of 1.1.1.1…
8. Pick a cleartext site against which you can validate that the header insertion is working (I use http://www.xhaus.com/headers)
9. Validate that the log data being sent by the firewall includes your expected values (ultimately this will match the string setting from step #3 above, which in my case is sip=$src,xff=$xff,dip=$dst,url=$misc). you can apply the wireshark display filter 'syslog' to match only what we are after...
NOTE: Your browser will likely be sending traffic in the background that does not fire the XFF extension tool (safe browsing, etc.). Do not be alarmed if this type of traffic does not display an XFF value.
To prevent additional information leakage of the IP address, you should enable this option (Device>Setup>Content-ID>X-Forwarder-for Headers):
